To Tackle IoT Security’s Murky Future, We Need Only to Look to the Past

Now that the IoT seems to be coming into its own, more manufacturers are eagerly throwing their hats into the ring to capitalize on the rapidly growing market. However, the influx of IoT devices is arriving without proper security measures.

In 2017 we have seen more smart home devices proving vulnerable to attack from cyber criminals. The Wikileaks Vault 7 release revealed that internet-connected televisions could be used as bugging devices. Even innocent, cute teddy bears have been hacked at the cost of the privacy of children and their families. And if businesses think they're safe, they're far from it. The devastating Mirai malware attack on Dyn services last fall and other botnet attacks since then prove this. Not to mention that more than 90 percent of IT professionals expect to see an increase in attacks.

Why are these devices proving to be so vulnerable? Many of the manufacturers trying to cash in on the IoT game are not companies that have traditionally thought about networking, or network security for that matter. Building an IoT device is more than just adding internet capabilities to a thermostat or camera. It means building in security features and preventive measures for vulnerabilities. Unfortunately, manufacturers, especially those creating low-cost IoT devices, are seemingly eager to ship off IoT devices without investing in security.

Experts have even proposed that government IoT regulation is inevitable considering the lack of urgency from manufacturers and consumers alike. The Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) in the U.S. have already stepped in and released documents providing recommendations for how companies and individuals should approach security for IoT.

Therefore, one of the biggest uncertainties about the future of IoT security is whether IoT manufacturers will be able to get a handle on what it takes to develop and deliver devices that are secure out of the box. Only time will tell, but I do think there are steps that we can take today to begin addressing the issue.

Consider Protocols Created with the IoT in Mind

Design challenges are a given with new technologies. For IoT, a big problem is limited computing power and memory or storage, which makes it difficult to use complex encryption or agents that require more resources. New protocols used specifically for the IoT, like Message Queuing Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP), need to be accounted for as well.

Stick to the Guiding Principles

Developers should look at best practices established over the past 30 years of internet history in order to create secure firmware for these emerging IoT devices. Some general guidelines that are often overlooked by manufacturers and developers include generating a random admin password for each new device rather than shipping with default passwords, and not exposing network ports and services unnecessarily. Additionally, developers should implement mechanisms for devices to verify integrity at system boot time.
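
As an added illustration (not part of the original article or any vendor's code), the sketch below applies two of these guidelines at factory-provisioning time: a unique random admin password per device, stored only as a salted hash, and a firmware digest check at boot. The function names, record layout and sample firmware bytes are assumptions; a production device would take the reference digest from a signed manifest verified by a hardware root of trust rather than from a plain stored hash.

```python
import hashlib
import hmac
import secrets

# Alphabet for a password printed on the device label; ambiguous glyphs
# (0/O, 1/l/I) are left out so users can type it reliably.
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to the device's CPU


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial, firmware):
    """Factory step: return (label password, record flashed to the device)."""
    password = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(16))
    salt = secrets.token_bytes(16)
    record = {
        "serial": serial,
        "salt": salt,
        # The cleartext password exists only on the label, never in flash.
        "pw_hash": _hash_password(password, salt),
        # Reference digest of the exact image written to this unit.
        "fw_sha256": hashlib.sha256(firmware).digest(),
    }
    return password, record


def check_admin_login(record, candidate):
    """Constant-time comparison against the stored salted hash."""
    return hmac.compare_digest(_hash_password(candidate, record["salt"]),
                               record["pw_hash"])


def boot_integrity_ok(record, firmware):
    """Boot step: refuse an image whose digest differs from the record."""
    return hmac.compare_digest(hashlib.sha256(firmware).digest(),
                               record["fw_sha256"])


if __name__ == "__main__":
    image = b"constructed firmware image v1"  # constructed sample input
    pw, rec = provision_device("SN-0001", image)
    print("login with label password:", check_admin_login(rec, pw))
    print("login with 'admin':", check_admin_login(rec, "admin"))
    print("tampered image boots:", boot_integrity_ok(rec, image + b"\x00"))
```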

Conduct Regular System Checks and Updates

System maintenance and updates are other key areas of consideration. Often, IoT devices that are taken over with malware have known weaknesses which could have been resolved. Manufacturers, ISPs, and others who have responsible disclosure processes for vulnerabilities and provide firmware updates addressing those issues are doing the right thing. Their actions help limit the number of IoT devices which can be used for malicious purposes.

Focusing on the security of systems, network services and applications can help achieve the goal of preventing system breaches or compromises as well as support continuous monitoring and resiliency. Initial steps like stringent authentication requirements and system orchestrations can go a long way.

Ultimately, the correct approach for IoT device security and authentication depends on the device and the traffic it will handle. To build secure IoT devices today, companies new and old need only to look to the past. Rather than reinventing the wheel, they should consider textbook security fundamentals that have been set by companies making networked devices for the past few decades.

About the author: Sean Tierney is the Director of Cyber Intelligence for Infoblox. He leads the efforts to develop and refine threat data, delivered to customers as machine-readable, actionable intelligence.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.